Data Protection Statement
This Data Protection Statement informs you how, to what extent and to what purpose your personal data (hereinafter referred to in abbreviated form as “data”) is processed in connection with our website as well as associated websites, functions, content and external websites such as our social media profiles (hereinafter referred to collectively as our “website”). Terms such as “processing” and “controller” are used in accordance with the definitions set out in Article 4 of the General Data Protection Regulation (GDPR).
Person responsible: Robert Schlotter
Name/company: Robert Schlotter
Street, number: Walther-Rathenau-Str. 68
Postcode, city, country: 33602, Bielefeld, Germany
Commercial register/reg. no.: < Text >
Owner: Dipl. Des. (FH) Robert Schlotter
Telephone number: ++49 176 813 564 16
Email address: firstname.lastname@example.org
Types of data processed:
– Basic data (e.g. names, addresses, etc.).
– Contact data (e.g. email addresses, telephone numbers, etc.).
– Content (e.g. text, photos, videos, etc.).
– Contractual data (e.g. subject of the contract, contractual duration, customer category, etc.).
– Payment data (e.g. bank details, payment history, etc.).
– Usage data (e.g. websites visited, content preferences, times of access, etc.).
– Metadata/communication data (e.g. device data, IP addresses, etc.).
Processing of special categories of personal data (GDPR Art. 9(1)):
No special categories of data are processed.
Categories of data subjects:
– Customers, interested parties, visitors to and users of the website, business partners.
– Visitors to and users of the website. Data subjects are hereinafter referred to collectively as “users”.
Purpose of data processing:
– Provision of the website, the content thereof and shop functions.
– Performance of contractual obligations and customer services.
– Responses to contact requests, communication with users.
– Marketing, advertising and market research.
– Security measures.
Version: January 18, 2021
1. Definition of terms
1.1. “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); a natural person is deemed to be identifiable if they can be identified, whether directly or indirectly, on the basis of an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2. “Processing” means any operation or series of operations performed on personal data either with or without the aid of automated procedures. The term is broad in nature and essentially includes every instance of data handling.
1.3. The “controller” is the natural or legal person, public authority, agency or other body that holds sole or joint responsibility for determining the purposes and means of the processing of personal data.
2.Definitive legal basis
As stipulated in GDPR Art. 13, we hereby inform you of the legal basis for our data processing operations. The following applies unless otherwise stated in this Data Protection Statement: The legal basis for data processing in connection with the sourcing of consent is defined in GDPR Art. 6(1) lit. a and GDPR Art. 7; the legal basis for data processing in connection with the performance of our contractual services and responses to enquiries is GDPR Art. 6(1) lit. b; the legal basis for data processing in connection with the fulfilment of our legal obligations is GDPR Art. 6(1) lit. c; the legal basis for data processing in connection with the safeguarding of our legitimate interests is GDPR Art. 6(1) lit. f. The legal basis for data processing required in order to protect the vital interests of the data subject or another natural person is GDPR Art. 6(1) lit. d.
3. Amendments and updates to this Data Protection Statement
We request that you keep yourself informed about the current content of this Data Protection Statement by referring back to it at regular intervals. Any relevant changes to our data processing operations will lead to the immediate amendment of this Data Protection Statement. We will inform you of such amendments insofar as they either require action on your part (e.g. declaration of consent) or require us to notify you individually.
4. Security measures
4.1. In accordance with GDPR Art. 32, and with consideration of the state of the art, the costs of implementation and the nature, scope, context and purposes of data processing as well as the varying probability and severity of risks to the rights and liberties of natural persons, we implement suitable technical and organisational measures ensuring a level of security that is appropriate to the respective level of risk. Among other measures, this includes the safeguarding of data confidentiality, integrity and availability by monitoring and controlling physical access to data as well as the viewing, entry, editing, disclosure and availability thereof. We have also established procedures designed to safeguard the rights of data subjects, enable the deletion of data and counteract data compromises. Furthermore, we take the protection of personal data into account as early as the development and/or selection of hardware, software and procedures in accordance with the principle of data protection by design and default as defined in GDPR Art. 25.
4.2. Among others, security measures include the encrypted communication of data between your browser and our server.
5. Disclosure and transfer of data
5.1. We only disclose, transfer or otherwise make data accessible to other persons or companies (here: contracted processors or third parties) if we are legally permitted to do so (e.g. if the transfer of data to a third party such as a payment service provider is essential for the performance of a contract under the terms of GDPR Art. 6(1) lit. b), if you have granted you consent, if we are under a legal obligation to do so or if we are justified in doing so on the grounds of our legitimate interests (e.g. in connection with the use of authorised representatives, hosting providers, tax, business or legal consultants or external customer care, accounting, invoicing or similar services as a means of ensuring the efficient and effective performance of our contractual obligations, administrative tasks and other obligations).
5.2. The commissioning of third parties to process data on our behalf on the basis of a so-called “data processing agreement” occurs in accordance with GDPR Art. 28.
6. Transfer of data to third countries
Insofar as we process data in a third country (i.e. a country outside the European Union (EU) or the European Economic Area (EEA)) or data is process in a third country in connection with the use of third-party services or the disclosure or transfer of data to third parties, such processing only occurs if it is a prerequisite for the performance of our (pre)contractual obligations, if you have granted your consent, if we are under a statutory obligation to do so or if it justified on the grounds of our legitimate interests. Subject to statutory or contractual permission, we only process or allow data to be processed in a third country if the prerequisites defined in GDPR Art. 44 ff. are fulfilled. In other words: Processing is dependent on criteria such as special guarantees (e.g. official confirmation of compliance with EU data protection requirements, for example Privacy Shield certification) and adherence to officially approved contractual obligations (so-called “standard contractual clauses” as defined in GDPR Art. 28(6)).
7. Rights of data subjects
7.1. GDPR Art. 15 grants you the right to obtain confirmation as to whether or not personal data concerning you has been processed, and, if so, information on, access to and a copy of the personal data in question.
7.2. GDPR Art. 16 grants you the right to obtain the completion of incomplete personal data concerning you and the rectification of incorrect personal data concerning you.
7.3. GDPR Art. 17 grants you the right to obtain the deletion of personal data concerning you. Alternatively, GDPR Art. 18 grants you the right to obtain restrictions on the processing of data concerning you.
7.4. GDPR Art. 20 grants you the right to receive the personal data concerning you which you have submitted to us as well as the right to the transfer thereof to another controller without hindrance from us.
7.5. GDPR Art. 77 grants you the right to lodge a complaint with a supervisory authority.
8. Right of revocation
GDPR Art. 7(3) grants you the right to revoke your consent with future effect.
9. Right to object
GDPR Art. 21 grants you the right to object to any further processing of personal data concerning you at any time. In particular, your right to object can be used to prevent data processing for the purpose of direct advertising.
10. Cookies and the right to object to direct advertising
10.1. The term “cookies” refers to small files stored on the user’s devices. Cookies can be used to store a variety of data. The primary purpose of a cookie is to store data on a user (or the device on which the cookie is stored) during and/or after their visit to a website. Temporary cookies (also referred to as “session cookies” or “transient cookies”) are deleted when the user leaves the website and closes their browser. A cookie of this type might be used to store the content of a shopping basket in an online shop or the user’s login status. “Permanent” or “persistent” cookies remain stored on the device even after the user has closed their browser. To give an example, this makes it possible for the user’s login status to be stored even if there are a number of days between their visits to the respective site. Such cookies can also be used to store data on user interests for the purposes of reach analysis and marketing activities. “Third-party cookies” are cookies from providers other than the controller responsible for the respective website (whose cookies are referred to as “first-party cookies”).
10.2. We use temporary and permanent cookies and provide corresponding information in our Data Protection Statement. Users who do not wish to have cookies stored on their device are requested to deactivate the corresponding option in their browser settings. Cookies already stored on their device can be deleted using their browser settings. Users who object to cookies may experience restrictions on the functionality of this website.
11. Deletion of data
11.1. The data we process is deleted or the processing thereof restricted in accordance with GDPR Art. 17 and GDPR Art. 18. Unless otherwise stated in this Data Protection Statement, and provided no conflicting statutory obligations exist, the data we store is deleted as soon as it is no longer required for its original purpose. The processing of data that is not deleted because it is still required for other legally permissible purposes is restricted (i.e. the data is blocked and not used for other purposes). To give an example, this applies to data that must be stored for longer periods under the terms of commercial or tax law.
11.2. Germany: Statutory requirements stipulate data storage for a period of 6 years (under HGB § 257(1); applies to account books, inventories, opening balances, annual financial statements, business letters, vouchers, etc.) and 10 years (under AO § 147(1); applies to ledgers, records, financial reports, business letters, tax-related documents, etc.) respectively.
12. Order processing in the online shop, customer accounts
12.1. We process our customers’ data during the placement of orders in our online shop in order to enable them to select, order, pay for and arrange the shipping/performance of the selected products and services.
12.2. The data processed includes basic data, communication data, contractual data and payment data. The data subjects include our customers, interested parties and other business partners. Processing facilitates the performance of contractual services within the context of the operation of an online shop, invoicing, shipping and customer service. It involves the storage of session cookies (used to store the contents of the customer’s shopping basket) and permanent cookies (used to store the customer’s login status).
12.3. Processing is justified under the terms of GDPR Art. 6(1) lit. b (order processing) and GDPR Art. 6(1) lit. c (archiving in accordance with legal obligations). The entries marked as “required” are essential to the conclusion and performance of the contract. We only disclose data to third parties within the context of shipping, payment and compliance with statutory rights and obligations towards legal advisors and public authorities. Data is only processed in third countries if this is essential to the performance of the contract (e.g. as a result of customer requests regarding shipping and payment).
12.4. Users have the option to set up a user account which enables them to view their orders among other functions. Users are informed which entries are a prerequisite for registration. User accounts are not public and cannot be indexed by search engines. If a user cancels their user account the data included therein is deleted insofar as it is not necessary for such data to be stored for business or tax-related reasons under the terms of GDPR Art. 6(1) c. Data remains in the user’s account until such time as the account is deleted, after which it may be archived where necessary as a result of legal obligations. In the event of account cancellation it is up to the user to secure their data prior to the end of the contract.
12.5. The time at which the user is active and the IP address of their device is stored when they register on, log into or use our website. The data is stored on the grounds of our legitimate interests and as a means of protecting the user against misuse and other unauthorised use. As a basic principle the data is not disclosed unless it is required for the enforcement of our claims or we are legally obliged to do so under the terms of GDPR Art. 6(1).
12.6. Deletion occurs upon the expiry of statutory archiving periods and comparable obligations. The extent to which data storage continues to be necessary is checked every three years. Data to which statutory archiving obligations apply is deleted upon the expiry of the respective period (6 years in the case of commercial archiving obligations, 10 years in the case of tax-related archiving obligations). Data remains in the user’s account until such time as the account is deleted.
13. Business analysis and market research
13.1. We analyse available data on business processes, contracts, enquiries, etc. in order to maintain the commercial viability of our business and identify market trends and the requirements of our customers and users. This involves the processing of basic data, communication data, contractual data, payment data, usage data and metadata in accordance with GDPR Art. 6(1) lit. f. Data subjects include customers, interested parties, business partners, visitors to and users of our website. Analysis occurs for the purpose of business evaluation, marketing and market research. The data sets analysed include the profiles of registered users, which may contain data on their purchase processes among others. Analysis enables us to enhance user friendliness, optimise our services and remain commercially viable. Analysis occurs solely for our purposes. The results thereof are not disclosed to external recipients insofar as they do not take the form of combined values based on anonymised analysis.
13.2. Analyses and profiles attributable to specific data subjects are deleted or anonymised upon termination of the contract by the respective user and two years after the end of the contract in all other cases. As a basic principle, overall business analyses and general trend forecasts are drawn up on an anonymised basis wherever possible.
15. Contact and customer service
15.1. When a user contacts us (using our contact form or by email) the data they submit is processed during the handling of their enquiry in accordance with GDPR Art. 6(1) lit. b.
15.2. The data submitted by the user may be stored in our customer relationship management system (“CRM system”) or comparable enquiry handling systems.
15.3. We delete enquiries when they are no longer required. We check whether or not this is the case every two years. We store enquiries from customers who have a customer account on a permanent basis (please also refer to comments on the deletion of customer accounts). Statutory archiving obligations also apply.
16. Collection of access data and log files
16.1. We collect data on every instance of access to the server on which this service is located (so-called “server log files”) in accordance with GDPR Art. 6(1) lit f. Access data includes the name of the website and/or file retrieved, date and time of retrieval, volume of data transferred, confirmation of successful retrieval, browser type and version, user operating system, referrer URL (of the previous website visited), IP address and the provider from which the request came.
16.2. For security reasons (e.g. the investigation of cases of misuse or fraud) log file information is stored for a maximum period of seven days before being deleted. Data that needs to be kept as evidence is exempted from deletion until such time as the respective case has been definitively clarified.
17. Online presence on social media
17.1. In accordance with our legitimate interests under the terms of GDPR Art. 6(1) lit f., we maintain an online presence on social networks and platforms in order to communicate with customers, interested parties and users active on those networks and platforms and inform them about our services. The calling up of the respective networks and platforms is subject to the general terms and conditions and data processing policy operated by the respective provider.
17.2 Unless otherwise stated in our Data Protection Statement, we process users’ data when they communicate with us on social networks and platforms (e.g. by posting on our webpages or sending us messages).
21. Facebook Social Plugins
21.1. Our use of the Facebook Social Plugins provided by the social network facebook.com (operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, hereinafter referred to as “Facebook”) is justified by our legitimate interests under the terms of GDPR Art. 6(1) lit. f (here: our interest in the analysis, optimisation and commercially viable operation of our website). The plugins may take the form of interactive elements or content (e.g. videos, graphics or text) and are identifiable by one of Facebook’s logos (a white “f” on a blue square, the term “Like” (or translated equivalent) or a “thumbs-up” symbol) or labelled as a “Facebook Social Plugin”. A summary of Facebook Social Plugins and their appearance is available here: https://developers.facebook.com/docs/plugins/.
21.2. The Privacy Shield certification held by Facebook guarantees compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
21.3. When a user uses a function on this website that includes a Facebook Social Plugin their device creates a direct connection with Facebook’s servers. Facebook sends the content of the plugin directly to the user’s device, which in turn embeds it into this website. The data processed may be used to create usage profiles of website users. We therefore have no power over the scope of the data collected by Facebook with the aid of the plugin and are only able to inform users to the best of our knowledge.
21.4. Facebook is notified when the user retrieves the webpage into which the plugin is embedded. If the user is logged into their Facebook account Facebook is able to match their visit to their Facebook account. User interaction with plugins – for example the clicking of the “Like” button or the posting of a comment – sees the respective information sent directly from your device to Facebook, where it is stored on Facebook’s servers. Even if the user is not a member of Facebook, it is still possible for Facebook to determine and store their IP address. Facebook states that IP addresses are only stored in anonymised form in Germany.
21.5. Further information on the purpose and scope of the data collected, the subsequent processing and use thereof by Facebook, related rights and settings that can be used to protect user privacy is available in the Facebook Data Policy: https://www.facebook.com/about/privacy/.
21.6. Users who are Facebook members and do not wish Facebook to use this website to collect data concerning them are required to log out of Facebook prior to using this website and delete their cookies. Further opportunities to adjust your settings and object to the use of your data for advertising purposes are available in the ad preferences section of your Facebook profile (https://www.facebook.com/settings?tab=ads), on the U.S.-based webpage http://www.aboutads.info/choices/ and on the EU-based webpage http://www.youronlinechoices.com/. The settings you select are applied across all platforms (i.e. they are adopted by all devices, for example desktop computers and mobile devices).
22. Reach analysis using Matomo
22.1. Our use of reach analysis services provided by Matomo is justified by our legitimate interests under the terms of GDPR Art. 6(1) lit. f (here: our interest in the analysis, optimisation and commercially viable operation of our website) and involves the processing of the following data: Your browser type and version, your operating system, your country of origin, the date and time of the server request, the number of visits, how long you spend on the website and any external links you click on. Users’ IP addresses are anonymised before being stored.
22.3. Users can object to anonymised data collection by Matomo at any time and with future effect by clicking on the link given below. This will result in the storage of a so-called “opt-out cookie” in your browser and ensure that Matomo no longer collects any session data. If a user deletes their cookies this will also result in the deletion of the opt-out cookie, which will therefore need to be reactivated by the user.
27. Communication by post, email, fax or telephone
27.1 We carry out business transactions and marketing activities using various means of long-distance communication including postal correspondence, telephone calls and electronic mail (“email”). This involves the processing of basic data, address and contact data and contractual data on data subjects in the form of customers, participants, interested parties and communication partners.
27.2 Processing occurs in accordance with GDPR Art. 6(1) lit. a, GDPR Art. 7 and GDPR Art. 6(1) lit. f in combination with statutory guidelines on advertising communication. Contact only occurs with the consent of the respective counterpart or where legally permissible. The data processed is deleted as soon as it is no longer required or at such time as deletion becomes necessary due to an appeal/cancellation or the invalidation of the basis for continued storage and/or statutory archiving obligations.
28.1. In this section we inform you about the content of our newsletter, registration, dispatch, statistical evaluation procedures and your rights to object. If you subscribe to our newsletter you automatically declare your consent to the receipt thereof and the procedures described.
28.2. Newsletter content: We only send newsletters, emails and other electronic correspondence containing advertising (hereinafter referred to collectively as “newsletters”) with the consent of the recipient or as legally permitted. Newsletter content is fundamental to the user’s consent insofar as such content is clearly defined during the newsletter subscription process. Our newsletters also include information on our products, offers, campaigns and company.
28.3. Double opt-in and logging: We use the so-called “double opt-in” process for newsletter subscriptions. This means that after you have subscribed you will receive an email asking you to confirm your subscription. This “double” confirmation is necessary in order to prevent people from subscribing using third-party email addresses. Newsletter subscriptions are logged in order to ensure that the subscription process can be traced in accordance with legal requirements. This includes the logging of the time of subscription, the time of confirmation and the subscriber’s IP address. Changes to personal data concerning the subscriber stored by the external sender are also logged.
28.4. External sender: The newsletter is sent by MailChimp, a newsletter dispatch platform belonging to the US-based provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The external sender’s Data Protection Statement is available to view here: https://mailchimp.com/legal/privacy/. The Privacy Shield certification held by Rocket Science Group LLC d/b/a MailChimp guarantees compliance with European data protection requirements (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).
28.5. Insofar as we use an external sender, that external sender has confirmed to us that they are able to use pseudonymised data (i.e. data in a form that cannot be attributed to a specific user) as a basis for the optimisation and improvement of their own services (e.g. the technical optimisation of the sending process and the way in which the newsletter is displayed) and statistical analysis (e.g. analysis of recipients’ countries of origin). The external sender neither uses data concerning our newsletter recipients to contact them on their own behalf nor discloses such data to third parties.
28.6. Subscription data: The only essential information required in order to subscribe to our newsletter is your email address. You also have the option to provide your name so that you can be addressed in person in the newsletter.
28.7. Performance analysis: Our newsletters contain a so-called “web beacon”. This pixel-sized file is retrieved by our server or, insofar as we use an external sender, the external sender’s server when you open the newsletter. Retrieval initially involves the collection of technical data such as data on your browser and operating system as well as your IP address and the time of retrieval. This data is used to carry out technical improvements based on not only technical data but also the target groups and their reading behaviour determined on the basis of the location at which they retrieve the newsletter (which can be determined with the aid of their IP address) and the time of retrieval. Statistical evaluation also includes the determination of whether or not the newsletter is opened, when it is opened and which of the links contained therein are clicked. Although the attribution of the aforementioned data to specific newsletter recipients is a technical possibility, it is neither our intention nor the intention of any external senders used to monitor individual users. On the contrary, performance analysis enables us to determine the reading patterns of our users, adapt our content to them and send out newsletters containing different information depending on the interests of the respective user.
28.8. Germany: Newsletter dispatch and performance analysis are justified on the grounds of the recipients’ consent in accordance with GDPR Art. 6(1) lit. a and GDPR Art. 7 in connection with UWG § 7 para. 2 no. 3 and on the grounds of legal permission in accordance with UWG § 7 para. 3.
28.9. Austria: Newsletter dispatch and performance analysis are justified on the grounds of the recipients’ consent in accordance with GDPR Art. 6(1) lit. a and GDPR Art. 7 in connection with TKG § 107 para. 2 and on the grounds of legal permission in accordance with TKG § 107 para. 2 & 3.
28.10. The logging of the subscription process is justified by our legitimate interest under the terms of GDPR Art. 6 (1) lit. f and serves to document consent to the receipt of the newsletter.
28.11. Newsletter recipients can unsubscribe from (i.e. revoke their consent to the sending of) our newsletter at any time. An “unsubscribe” link can be found at the bottom of every newsletter. Recipients who unsubscribe simultaneously revoke their consent to performance analysis. Separate revocation of consent to performance analysis is unfortunately not possible; recipients can therefore only revoke their consent to performance analysis if they unsubscribe from the newsletter. Unsubscription results in the deletion of personal data unless the continued storage thereof is legally required or justified, whereby it is to be noted that processing is restricted to these exceptional cases. In particular, it is in our legitimate interest to store the email addresses of former newsletter recipients for up to three years prior to deletion from our newsletter dispatch database, as we may be required to provide evidence that they once consented to the receipt of our newsletter. In this case data processing is restricted to defence against claims. An individual deletion request can be made at any time providing it can be confirmed that consent once existed.
29. Embedded third-party services and content
29.1. Our use of third-party services and content is justified by our legitimate interests under the terms of GDPR Art. 6(1) lit. f (here: our interest in the analysis, optimisation and commercially viable operation of our website) and involves the embedding of those third-party services and content, for example videos and fonts (hereinafter referred to as “content”). This always requires the third-party providers of such content to log the user’s IP address, as without the IP address the content cannot be sent to the user’s browser. The IP address is therefore a prerequisite for the display of the respective content. We endeavour to only use content from providers who only use the user’s IP address to deliver content. Third-party providers may also use so-called “pixel tags” (invisible graphics, also referred to as “web beacons”) for the purpose of statistical evaluation and marketing. Pixel tags can be used to evaluate data on visitor traffic on the webpages that make up this website. The pseudonymised data may also be stored in cookies on the user’s device and contain elements including technical information on the respective browser and operating system, referral URLs, time of visit and other information on the use of our website; they may also be matched to data from other sources.
29.2. The following list provides a summary of third-party providers and their content as well as links to their data protection statements, which contain further information on data processing and opt-out options (some of which have already been dealt with in this Data Protection Statement).
– If our customers use third-party payment services (e.g. PayPal) the general terms and conditions and data protection statements available to view on the websites or in the apps operated by the respective third-party providers apply.
– External fonts from Google, LLC., https://www.google.com/fonts (“Google Fonts”). The embedding of Google Fonts involves the retrieval of data from a Google server (which is generally located in the USA). Data Protection Statement: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.
– Maps provided via the “Google Maps” service operated by third-party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data Protection Statement: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.
– Videos provided via the YouTube platform operated by third-party provider Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data Protection Statement: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.